Lucene search

K
ibmIBM49386F47EADE0DE732D1E2EAE22745F6CAE3F555FC24C1D5930A01C94E1FF41D
HistoryFeb 22, 2024 - 4:22 p.m.

Security Bulletin: IBM Sterling B2B Integrator affected by multiple vulnerabilities due to snappy-java

2024-02-2216:22:01
www.ibm.com
9
ibm sterling b2b integrator
snappy-java
vulnerabilities
update
fixed versions
denial of service

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

6.8

Confidence

High

EPSS

0.001

Percentile

46.6%

Summary

IBM Sterling B2B Integrator uses snappy-java. This bulletin identifies the steps to take to address the vulnerabilities.

Vulnerability Details

**CVEID:**CVE-2023-34455 DESCRIPTION: snappy-java is vulnerable to a denial of service, caused by the use of an unchecked chunk length in the hasNextChunk function. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258190 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**CVE-2023-34453 DESCRIPTION: snappy-java is vulnerable to a denial of service, caused by an integer overflow in the shuffle function. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258186 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**CVE-2023-34454 DESCRIPTION: snappy-java is vulnerable to a denial of service, caused by an integer overflow in the compress function. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258188 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Sterling B2B Integrator 6.0.0.0 - 6.0.3.8
IBM Sterling B2B Integrator 6.1.0.0 - 6.1.0.7, 6.1.1.0 - 6.1.2.3

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

Product Version APAR Remediation & Fix
IBM Sterling B2B Integrator 6.0.0.0 - 6.0.3.8 IT44182 Apply 6.0.3.9
IBM Sterling B2B Integrator 6.1.0.0 - 6.1.0.7, 6.1.1.0 - 6.1.2.3 IT44182 Apply 6.1.0.8, 6.1.2.5 or 6.2.0.0

The IIM versions of 6.1.0.8, 6.0.3.9 and 6.1.2.5 are available on Fix Central. The IIM version of 6.2.0.0 is available on Passport Advantage

The container version of 6.1.2.5 and 6.2.0.0 are available in IBM Entitled Registry.

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmsterling_b2b_integratorMatch6.0.0.0
OR
ibmsterling_b2b_integratorMatch6.2.0.0
VendorProductVersionCPE
ibmsterling_b2b_integrator6.0.0.0cpe:2.3:a:ibm:sterling_b2b_integrator:6.0.0.0:*:*:*:*:*:*:*
ibmsterling_b2b_integrator6.2.0.0cpe:2.3:a:ibm:sterling_b2b_integrator:6.2.0.0:*:*:*:*:*:*:*

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

6.8

Confidence

High

EPSS

0.001

Percentile

46.6%

Related for 49386F47EADE0DE732D1E2EAE22745F6CAE3F555FC24C1D5930A01C94E1FF41D